Germany declares hacking tools 'verboten'

The revamp to the German criminal code is designed to tighten definitions, making denial of service attacks and attempts to sniff data on third-party wireless networks, for example, clearly criminal. Attacks would be punishable by a fine and up to 10 years imprisonment.

Previously, only attacks against companies and government organisations were indictable offences. The regulations, passed last week, also make it illegal for unauthorised users to bypass computer security protection to access secure data.

Under these provisions it becomes an offense to create, use or distribute so-called "hacking tools". Critics point out that many of these tools are used by system administrators and security consultants quite legitimately to probe for vulnerabilities in corporate systems.

The distinctions between, for example, a password cracker and a password recovery tool, or a utility designed to run denial of service attacks and one designed to stress-test a network, are not properly covered in the legislation, critics argue. Taken as read, the law might even make use of data recovery software to bypass file access permissions and gain access to deleted data potentially illegal.

"Forbidding this software is about as helpful as forbidding the sale and production of hammers because sometimes they also cause damage," Chaos Computer Club spokesman Andy Müller-Maguhn told Ars Technica. "Safety research can [now] take place only in an unacceptable legal gray area."

While making life more difficult for security consultants and sys admins, the new laws will, paradoxically, make it easier for police to use hacking tactics in gathering intelligence on suspects. The practice - declared verboten by German courts earlier this year - could be reinstated under the new laws, according to Müller-Maguhn.

I already mentioned it here in the forum... they say "you will only get punished if you use such tools for criminal activities". But the situation with the security tools and pentesters is not clearly stated in the law. So we definitely will have to get the judges to state out the situation.

Perhaps they will sniff my internet connection and do a survey before I can access sites like metasploit or milw0rm or even the forums here.
And they will ask questions like: "Will you use this information for criminal activities? Are you a member of a terrorist organisation? If you can answer one question with yes, please leave your address, phone number, hair and eye color, shoe size, ID number and all other stuff related to you here. Scan your fingerprints and send them with your fingernails, some hair and a urine sample to the state Office of Criminal Investigation. We will contact you."

Damn, this part of the new law is like shooting yourself in the foot. You know what they did? They got this law through the Lower House of German Parliament, on a Friday morning at 2 am. At 2 am, if I would sit there, I would wink every sh** through just to finish the day. Arrrgh.....

A very similar thing happened in the state government of where myself and Prez98 live. They passed themselves a pay raise on the last day of the session before a break at around 1am. I believe just about every single person that voted for that pay raise lost in the next election. Something to remember, democracy does work in some cases.

Really sad thing is, I went to high school with one of the guys that voted for the pay raise and I didn't believe that he did it, because when I knew him, he had better morals than that.

A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

Under the "Council Framework Decision 2005/222/JHA of 24 February 2005 on attacks against information systems" (EU) (europa#eu/scadplus/leg/en/lvb/l33193#htm) we can expect more similar laws showing up in Europe. While Germany does not lead the EU, it is one of the main countries and let's be honest... Europe is so socialized (read: overrun by government control) that this will appeal to many officials (especially if you make an exception for law enforcement).
This debate reminds me a lot of the gun debate. Freedom, reason and personal security/responsibility on one side and government power, control etc. on the other.
If I'm right on this then Europe is in a lot of trouble.
On the other hand... will it mean more jobs for pen-testing experts from the U.S. remotely....